It is simple for a one-server website.
When you're on Alexa 1M, you certainly have a load balancer, multiple servers for redundancy, etc. It makes things not straightforward, and you certainly don't want to use the default certbot which overwrites your config.
I am on Alexa 1M (50k even). I do not have a load balancer, I do not have multiple servers for redundancy. This isn't even a static site; most of our page views are the wiki, and the server running all of this has 8 cores, 4 of which are constantly maxed out by a non-website-related process.
Checked my old site's rank. ~250000. One VPS, €4/month. Mostly static, but a decent part is served with a not so light Perl CGI script (!). I'm sure I wouldn't get away with that in top 1k websites, but 1m?
> "I am on Alexa 1M (50k even). I do not have a load balancer, I do not have multiple servers for redundancy. This isn't even a static site; most of our page views are the wiki, and the server running all of this has 8 cores, 4 of which are constantly maxed out by a non-website-related process.
> Most websites nowadays are over-engineered."
That's awesome! Mind sharing some more details? (hosting plan/CDN/etc). Or even the URL?
Rented dedicated server running a 9900K. A Windows hypervisor runs the VMs: a database VM, a website VM, and 3 game server VMs running on this machine. Each game server VM is running 2 instances of the game server, but only 1 ever has high pop.
Most of our traffic goes to our wiki: we are the most active open source video game on GitHub. Most SS13 servers run their own codebase, forked from ours, but will still frequently point their players to our wiki rather than set one up on their own.
A Cloudflare caching layer was added back in March when we got a 4x spike in web traffic from a YouTuber talking about the game.
I mean the next more complicated case isn't that bad either. You set up a sidecar VM/container/machine/whatever-you-want that either instruments your DNS or gets the traffic from .well-known/acme-challenge and just renews your certs every day.
Then your load balancers pull the current cert from the sidecar every day with NFS/Gluster/Ceph/HTTP/whatever-you-want and reload the web server if it changed.
Assuming that you can catch a failure of your sidecar server in 89 days or so you don't need much more redundancy.
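The "pull from the sidecar, reload if changed" step from the comment above, as an added example that is not code from the thread. It assumes the load balancer keeps a combined PEM (chain plus private key, the one-file layout HAProxy loads), that the transport to the sidecar is already authenticated, and that `reload_fn` is whatever reloads your web server; the sample PEM bodies and the 404 page are constructed.

```python
import hashlib
import os
import tempfile
from typing import Callable

def bundle_is_sane(pem: bytes) -> bool:
    """Refuse empty bodies, HTML error pages and truncated downloads. The bundle must
    carry at least one certificate and exactly one key: a renewal normally issues a
    fresh private key, so pulling only the chain would leave the LB with a mismatched pair."""
    certs_begin = pem.count(b"-----BEGIN CERTIFICATE-----")
    certs_end = pem.count(b"-----END CERTIFICATE-----")
    keys = pem.count(b"PRIVATE KEY-----") // 2  # BEGIN and END markers both match
    return certs_begin >= 1 and certs_begin == certs_end and keys == 1

def fingerprint(pem: bytes) -> str:
    return hashlib.sha256(pem).hexdigest()

def sync_bundle(new_pem: bytes, bundle_path: str, reload_fn: Callable[[], None]) -> str:
    """Install the sidecar's bundle if it is valid and differs from the installed one.
    Returns 'rejected', 'unchanged' or 'reloaded'."""
    if not bundle_is_sane(new_pem):
        return "rejected"  # keep the working cert; tomorrow's pull retries
    if os.path.exists(bundle_path):
        with open(bundle_path, "rb") as f:
            if fingerprint(f.read()) == fingerprint(new_pem):
                return "unchanged"
    # Write a temp file in the same directory and rename over the old bundle, so the
    # web server never reads a half-written file; reload only after the rename.
    fd, tmp = tempfile.mkstemp(dir=os.path.dirname(bundle_path) or ".", prefix=".bundle.")
    with os.fdopen(fd, "wb") as f:
        f.write(new_pem)
    os.chmod(tmp, 0o600)  # the file holds the private key: owner-only
    os.replace(tmp, bundle_path)
    reload_fn()
    return "reloaded"

def demo() -> list:
    """Three daily pulls from a constructed sidecar: new bundle, same bundle, broken download."""
    good = (b"-----BEGIN CERTIFICATE-----\nMIIB...constructed...\n-----END CERTIFICATE-----\n"
            b"-----BEGIN PRIVATE KEY-----\nMIIE...constructed...\n-----END PRIVATE KEY-----\n")
    broken = b"<html><body>404 Not Found</body></html>"  # what a misconfigured sidecar returns
    reloads = []
    with tempfile.TemporaryDirectory() as d:
        path = os.path.join(d, "example.org.pem")
        results = [sync_bundle(pem, path, lambda: reloads.append(1)) for pem in (good, good, broken)]
    return results + [len(reloads)]
```

A cron job that runs the fetch and `sync_bundle` daily, plus an alert when the installed bundle has not changed in well under 90 days, covers the sidecar-failure window the comment mentions.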
IMHO it is easier to set up SSL on the LB. You don't need to set them up one by one; all servers (HTTP, SMTP, POP, IMAP and others) are protected by the same SSL certificate and cipher suite with an SSL-terminating LB. Also, many LBs support auto-renewal.